Australia's Notifiable Data Breaches (NDB) scheme comes into effect on February 22, 2018, and as the legislative direction is aimed at protecting the individual, there's a lot of responsibility on each organisation to secure the data it holds.
The NDB scheme falls under Part IIIC of the Australian Privacy Act 1988 and establishes requirements for entities in responding to data breaches.
What that means is all agencies and organisations in Australia that are covered by the Privacy Act will be required to notify individuals whose personal information is involved in a data breach that is likely to result in "serious harm", as soon as practicable after becoming aware of a breach.
Tax file number (TFN) recipients, to the extent that TFN information is involved in a data breach, must also comply with the NDB.
In addition to notifying individuals affected, under the scheme, organisations must provide recommendations on how those affected should respond, as well as what to do now their information is in the wild. The Australian Information Commissioner, currently Timothy Pilgrim, must also be notified of the breach.
"The NDB scheme formalises an existing community expectation for transparency when a data breach occurs," Pilgrim told ZDNet. "Notification provides individuals with an opportunity to take steps to protect their personal information, and to minimise their risk of experiencing harm."
Intelligence agencies, not-for-profit organisations or small businesses with turnover of less than AU$3 million annually, credit reporting bodies, and political parties are exempt from the NDB.
In general terms, an eligible data breach refers to the unauthorised access, loss, or disclosure of personal information that could cause serious harm to the individual whose personal information has been compromised.
Examples of a data breach include when a device containing customers' personal information is lost or stolen, a database containing personal information is hacked, or personal information is mistakenly provided to the wrong person.
An employee browsing sensitive customer records without any legitimate purpose could constitute a data breach as they do not have authorised access to the information in question.
The NDB scheme uses the phrase "eligible data breaches" to specify that not all breaches require reporting. An example of this is where Commonwealth law prohibits or regulates the use or disclosure of information.
An enforcement body -- such as the Australian Federal Police (AFP), the police force or service of a state or a territory, the Australian Crime Commission, and the Australian Securities and Investments Commission -- does not need to notify individuals about an eligible data breach if its CEO believes on reasonable grounds that notifying individuals would be likely to prejudice an enforcement-related activity conducted by, or on behalf of, the enforcement body.
Although not required all the time to disclose a breach, a spokesperson for the AFP told ZDNet the AFP would be complying with its notification obligations in all circumstances where there are no relevant exemptions under the Act.
If the Australian Information Commissioner rules the breach is not bound by the NDB scheme, organisations may not have to disclose it any further.
In addition, data breaches that are notified under s75 of the My Health Records Act 2012 do not need to be notified under the NDB scheme as they have their own binding process to follow, which also lies under the umbrella of the OAIC.
As the NDB dictates an objective benchmark in that the scheme requires a "reasonable person" to conclude that the access or disclosure is "likely to result in serious harm", Melissa Fai, special counsel at Gilbert + Tobin, told ZDNet that in assessing the breach, an organisation should interpret the term "likely" to mean more probable than not -- as opposed to merely possible.
"Serious harm" is not defined in the Privacy Act; but in the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.
Information about an individual's health; documents commonly used for identity fraud including a Medicare card, driver's licence, and passport details; financial information; and a combination of types of personal information -- rather than a single piece of personal information -- that allows more to be known about an individuals can cause serious harm.
In assessing the risk of serious harm, entities should consider the broad range of potential kinds of harm that may follow a data breach.
THE NOTIFICATION PROCESS
Agencies and organisations that suspect an eligible data breach may have occurred must undertake a "reasonable and expeditious assessment" based on the above guidelines to determine if the data breach is likely to result in serious harm to any individual affected.
If an entity is aware of reasonable grounds to believe that there has been an eligible data breach, it must promptly notify individuals at risk of serious harm and the commissioner about the breach.
Organisations disclosing a breach must complete the Notifiable Data Breach statement -- Form which can be found here.
The notification to affected individuals and the commissioner must include the following information: The identity and contact details of the organisation, a description of the data breach, the kinds of information concerned, and recommendations about the steps individuals should take in response to the data breach.
Entities have 30 days to conduct an assessment if they are unsure a breach meets the threshold of an eligible data breach. As soon as they believe a breach is an eligible data breach, they must notify individuals and the commissioner as soon as practicable.
The NDB scheme, however, provides entities with the opportunity to take steps to address a data breach in a timely manner, and avoid the need to further notify -- including notifying individuals whose data has been somewhat exposed.
Failure to comply with the NDB scheme will be "deemed to be an interference with the privacy of an individual" and there will be consequences.
Gilbert + Tobin's Fai explained that if an organisation is found to have hidden an eligible data breach, or is otherwise found to have failed to report an eligible data breach, such failure will be considered an interference with the privacy of an individual affected by the eligible data breach, and serious or repeated interferences with the privacy of an individual can give rise to civil penalties under the Privacy Act.
If the data breach that the organisation has failed to report is serious, or if the organisation has failed to report an eligible data breach on two or more separate occasions, Fai explained the OAIC has the ability to seek a civil penalty order against the organisation of up to AU$2.1 million, depending on the significance and likely harm that may result from the data breach.
"Of course, an organisation must also consider the risk of reputational damage to its brand and the commercial damage that might flow from that, particularly given the growing importance to an organisation's bottom line of consumer trust in an organisation's data management policies and processes and its ability to respond quickly, effectively, and with integrity to data breaches," Fai added.
"The effects of the data breach on Equifax last year and its response are a case in point."
THE ROLE OF THE INFORMATION COMMISSIONER AND THE OAIC
The commissioner has a number of roles under the NDB scheme, which includes receiving notifications of eligible data breaches; encouraging compliance with the scheme, including by handling complaints, conducting investigations, and taking other regulatory action in response to instances of non-compliance; and offering advice and guidance to regulated organisations, and providing information to the community about the operation of the scheme.
The OAIC has published guidelines on the scheme, which also includes information on how to deal with the aftermath of a breach.
A data breach notification scheme was recommended by the Joint Parliamentary Committee on Intelligence and Security in February 2015, prior to Australia's mandatory data-retention laws being implemented.
HOW TO GET READY
According to Gilbert + Tobin, organisations should be at the very least getting familiar with what data they have, where it is kept, and who has access to it.
Assessing existing data privacy and security policies and procedures to make sure organisations are in a position to respond appropriately and quickly in the event of a data breach is also important.
"This should include a data breach response plan which works across diverse stakeholders in an organisation and quickly brings the right people -- such as from IT, legal, cybersecurity, public relations, management, and HR -- together to respond effectively," Fai told ZDNet.
It wouldn't hurt to continuously audit and strengthen cybersecurity strategies, protection, and tools to avoid and prevent data breaches.
"It is also important that an organisation's personnel are aware of the NDB scheme. Personnel need appropriate training, including to identify when an eligible data breach may have occurred and how to follow an entity's policies and procedures on what to do next," Fai explained, adding this also extends to suppliers and other third-parties that process personal information on their behalf.
DOES YOUR BUSINESS HAVE A EUROPEAN CONNECTION?
From May this year, the General Data Protection Regulation (GDPR) will come into play, requiring organisations around the world that hold data belonging to individuals from within the European Union (EU) to provide a high level of protection and explicitly know where every ounce of data is stored.
Organisations that fail to comply with the regulation requirements could be slapped with administrative fines up to €20 million, or in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The laws do not stop at European boundaries, however, with those in the rest of the world, including Australia, bound by the GDPR requirements if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.
The GDPR and the Australian Privacy Act share many common requirements, but there are a bunch of differences, with one crucial element being the time to disclose a breach.
Under the NDB scheme, organisations have a maximum of 30 days to declare the breach; under the GDPR, organisations have 72 hours to notify authorities after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
"In sum, if an Australian organisation is subject to the GDPR regime when it comes into effect in May this year, it needs to comply with its obligations under both regimes -- although the two regimes contain different requirements, they are not mutually exclusive," Fai added. "However, when it comes to data breaches, the high watermark of compliance is complying with the European regime."
Any organisation that has purchased a security solution from a vendor knows that there is no silver bullet to completely secure an organisation.
"When it comes to data breaches, everybody is looking for something, a product, a process, a standard to prevent them completely. Unfortunately, this isn't possible," Symantec CTO for Australia, New Zealand, and Japan Nick Savvides told ZDNet.
"The first thing any organisation should do is understand that data breaches are not always preventable but they are mitigatable. Whether the data breach is a result of a compromise, malicious insider, or even a well-meaning insider accidentally leaking information, mitigations exist."
Breaking the mitigations into three parts, Savvides said the first is dealing with a malicious attacker, the second is having information-centric security which he said applies to all scenarios, and the third mitigation category is the response plan.
"Most organisations don't have very effective response plans for a data breach event. They might have a plan, but from what has been seen, the plans are generally very academic in nature rather than practical and often get bypassed in the case of a real event," he explained.
"Organisations need to have processes for having incidents reported, a clear plan on who to involve, what process to follow, and a clear PR message.
Savvides said it is clear that users value transparency and clear speech rather than ambiguous legalese responses some organisations have produced.
"The commencement of the scheme is also a timely opportunity for organisations to take stock of the personal information they collect and hold, and how it is managed," Pilgrim added. "By ensuring personal information is secured and managed appropriately, organisations can reduce the likelihood of a data breach occurring in the first place."